ProductHosted Payments

Secure Hosted Payments for ISV Platforms.
Zero PCI Infrastructure Required.

Drop a fully PCI-DSS SAQ A compliant hosted checkout into any web application in minutes. Card data is captured exclusively inside PSP-hosted iFrame SDKs — PayServ's servers never see raw cardholder data at any point.

PCI-DSS SAQ A iFrame Isolated Framework Agnostic Multi-PSP Failover

PCI-DSS SAQ A Compliance Architecture

PayServ Hosted Payments leverages Square's Web Payments SDK and Stripe Elements — both of which inject card input fields as cross-domain iFrames served directly from each PSP's secure CDN. Because the cardholder data environment is entirely owned and operated by the upstream PSP, merchants and PayServ qualify for SAQ A — the lightest PCI-DSS self-assessment questionnaire, requiring no network scans and no QSA on-site assessment.

Embedded Secure Checkout Workflows — Customisable for Any Web Framework

PayServ Hosted Payments provides a pre-built, fully configurable checkout UI component that can be embedded into React, Angular, Vue, plain HTML, or any other web framework through a single JavaScript SDK call. The visual output is completely white-label — your brand, your colours, your domain.

Under the hood, the card number, CVV, and expiry fields are rendered as separate iFrame elements injected directly from the PSP's CDN. This means the card data lives in a completely separate browsing context that your application — and PayServ's servers — cannot read, intercept, or modify.

  • Embeddable in any web framework
  • Full white-label UI customisation
  • Supports Apple Pay, Google Pay, ACH
  • Built-in 3DS2 / SCA handling
  • Multi-currency & multi-language support
Secure Checkout
$149.00
Secured by Square Web Payments SDK · iFrame from cdn.squareup.com
•••• •••• •••• ••••
iFrame · PSP CDN
MM / YY
iFrame · PSP CDN
•••
John Smith

The three highlighted fields above are iFrame elements injected directly from the PSP's CDN. Neither PayServ nor the merchant application can access their contents via JavaScript or DOM inspection.

How the iFrame Isolation Model Eliminates Your Compliance Scope

This section is provided for technical compliance reviewers at Stripe, Square, and acquiring banks assessing PayServ's CDE boundary.

1

SDK Script Loaded from PSP CDN

The Square Web Payments SDK or Stripe.js library is loaded directly from cdn.squareup.com or js.stripe.com — not proxied or rehosted by PayServ. The browser establishes a direct TLS session to the PSP's CDN.

2

Card Fields Injected as Cross-Domain iFrames

The SDK renders each sensitive input (card number, CVV, expiry) as a separate <iframe> element with an src pointing to a PSP-owned origin. The browser's same-origin policy prevents any parent-frame JavaScript from reading these field values.

3

PSP Tokenizes Within Its Own Origin

On submit, the PSP SDK sends the card data over a direct HTTPS connection from the iFrame context to the PSP's tokenization endpoint. A short-lived, opaque payment token (nonce) is returned to the parent page — never the raw card data.

4

PayServ Receives Only the Token

The payment token (nonce) is passed to PayServ's API. PayServ's server exchanges this nonce with the PSP to charge the underlying card. At no point does a PAN, CVV, or full expiry date transit PayServ's network or storage layer.

Container pattern — PayServ injects the PSP iFrame into these empty divs Raw CHD never touches this markup or your server
<!-- PayServ Hosted Payments SDK mount points -->
<!-- The PSP SDK populates each container with a cross-domain iFrame -->

<div id="card-container"></div>        <!-- Card number iFrame -->
<div id="expiry-container"></div>      <!-- Expiry iFrame      -->
<div id="cvv-container"></div>        <!-- CVV iFrame         -->

<!-- On submit: nonce returned to your app. PAN never leaves PSP origin -->

Everything You Need to Accept Payments

Full White-Label UI

Custom colours, fonts, logos, and domain — the checkout looks and feels entirely like your brand, not PayServ's.

Multi-PSP Failover Routing

If the primary PSP is down, PayServ silently reroutes the checkout session to the next eligible gateway — invisible to the cardholder.

Global Currency Support

140+ currencies, automatic presentment currency detection, and real-time FX conversion across all supported PSPs.

Apple Pay & Google Pay

Native wallet payment methods are surfaced automatically when the browser and device support them — no additional integration work required.

3DS2 / SCA Native

Strong Customer Authentication challenges are handled natively within the SDK flow. Merchants see only the final authorised or declined result.

Unified Webhook Notifications

A single normalised webhook schema regardless of which PSP processed the payment — authorised, captured, declined, refunded, or disputed.

Accept Your First Payment in Under a Day

Register for early access to PayServ Hosted Payments. Sandbox credentials, SDK documentation, and a Postman collection are issued immediately on approval.